https://myvirtualdomain.com

#1 Thu, 01/25/2007 - 15:07
SeanKelly

Hi all,

I am trying to enable the setup of an SSL website at the time of adding a new domain. I would like to have any SSL connections for a virtual domain point to /$HOME/httpsdocs.

Apache says it supports SSL though I keep getting this error:

Failed to modify server : SSL cannot be enabled unless a virtual IP interface or private port is enabled

I have 2 static IPs; one is added to the interfaces section and seems to be added OK when creating new domains. I do see the 'Virtual interface' None when I edit Server properties...not sure I understand what needs to be done to make this work.

Is there a step by step I could follow?

S

Thu, 01/25/2007 - 16:23
Joe

Hey Sean,

You've gotta give an SSL site its own IP...it can't share the IP with any other SSL sites. So, create a virtual server with its own IP and then you'll be able to enable SSL. (This is a limitation of the protocol, not Virtualmin or Apache.)

--

Check out the forum guidelines!

Thu, 01/25/2007 - 16:47
SeanKelly

QUOTE:
So, create a virtual server with its own IP and then you'll be able to enable SSL.

Hey Joe,

That's my problem, not sure HOW to create a virtual server with its own IP if I have 15 domains hosted and 9 of them need an SSL website.

I only have 2 static IPs on my VPS. When I use the other IP as a virtual interface...

Failed to modify server : The virtual interface IP address is already in use

Been playing with the Apache section adding virtual servers on port 443 for one test domain...though I think I might be missing something here cuz it ain't workin'

S

Thu, 01/25/2007 - 16:55 (Reply to #3)
ADobkin

Sean,

If 9 of your domains need an SSL web site, then you need at least 9 static IP addresses.

Thu, 01/25/2007 - 17:01
SeanKelly

Hmmm...then I am really confused now. I have another VPS with 2 static IPs, 51 domains running on Plesk 8.1 and it creates the SSL websites no problem.

Is there a manual way to allow hosting SSL for many sites...aside from having 9 static IPs?

S

Thu, 01/25/2007 - 17:45 (Reply to #5)
Joe

Hey Sean,

No, it's just not possible in the HTTPS protocol, regardless of how you set it up--again this is not a limitation of Virtualmin or Apache, it is a fact built into the protocol. It's not a question of how to configure it--it is a question of whether the protocol supports name-based virtual hosting...and it doesn't.

But maybe you just want one SSL site, and all of your domains can use it via an alias? Something like:

https://www.yourdomain.tld/secure/customerdomain/

Which points to the user's public_html (or some other directory--doesn't have to be a special directory and it's usually easiest just to share the one content dir, as it will make setting up shopping carts and such easier, but I've seen hosts set it up in a special directory called https_docs, or similar).

If this is what you're after, you don't need to enable SSL for any of your shared domains...you'd just create one SSL site on the "yourdomain.tld" and then set up a regex alias that handles the redirection into the user's public_html.

Something like this added to the VirtualHost section of the SSL site:

AliasMatch ^/secure/([^/]+)(/(.*))? /home/$1/public_html/$3

Will make it work for all other accounts...though sub-servers won't work this way. I'm not sure if there's a good way to catch all sub-servers without adding them individually (because they live in /home/domainname/domains/sub-servername).

I believe this comes up enough that we probably ought to handle it automatically. If Virtualmin set it up, it'd be possible to handle the sub-domain case, as well.

Actually, now that I think about it, this is a really bad idea. SuExec is going to either break all scripts or render them insecure with this type of setup...unless all of your users that have such domains are trusted, I don't recommend it.

Hmmm...Maybe we can proxy...That might break the actual SSL, though. No longer end-to-end...but maybe the proxy can act as the end point. Argh. Complicated. I'll have to try it. Will ping this thread in a few minutes when I know for sure whether we can solve this with proxying while maintaining the security of SuExec.

--

Check out the forum guidelines!
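
The path mapping done by the AliasMatch line in the post above, as an added example that is not part of the original thread: a Python sketch that applies the same regex and substitution to constructed request paths and shows why a sub-server is missed. The account names, domains and helper functions are assumptions made for illustration.

```python
import re

# Pattern and target taken from the AliasMatch line in the post above.
ALIAS_RE = re.compile(r"^/secure/([^/]+)(/(.*))?")
TARGET = "/home/$1/public_html/$3"


def alias_match(url_path):
    """Return the filesystem path the alias would produce, or None if no match."""
    m = ALIAS_RE.match(url_path)
    if m is None:
        return None
    # A group that did not take part in the match is substituted as empty.
    return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))) or "", TARGET)


def reaches_subserver(url_path, parent, sub):
    """True if the mapped path lands inside the sub-server's home directory.

    Uses the layout described in the post:
    /home/<parent domain>/domains/<sub-server name>
    """
    home = f"/home/{parent}/domains/{sub}/"
    mapped = alias_match(url_path)
    return mapped is not None and mapped.startswith(home)


# Constructed sample request paths (not taken from any real server).
SAMPLES = [
    "/secure/alice",                    # no trailing slash: $3 is empty
    "/secure/alice/",                   # trailing slash: $3 is empty
    "/secure/alice/cart/checkout.php",  # $3 carries the rest of the path
    "/secure/",                         # no account segment: alias not applied
    "/other/alice/",                    # outside /secure/: alias not applied
    "/secure/shop.example.com/",        # sub-server name used as the segment
]

if __name__ == "__main__":
    for path in SAMPLES:
        print(f"{path!r:40} -> {alias_match(path)!r}")
    # The sub-server lives under its parent's home, so the alias misses it.
    print(reaches_subserver("/secure/shop.example.com/",
                            "example.com", "shop.example.com"))
```

The first path segment after /secure/ is taken from the request as-is and used as the directory name under /home, which is why the alias covers every account with a public_html and why sub-servers, which sit under their parent's home, are not reached.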